1 配置
从Android Nougat(7.0)开始,谷歌改变了网络安全策略。
自签的CA证书将默认不被TLS/SSL连接信任,这意味着charles等工具可能无法抓取HTTPS的明文数据。
查看路径:
<application android:networkSecurityConfig="@xml/network_security_config"
res/xml/network_security_config.xml:
http://dl-xda.xposed.info/modules/mobi.acpm.sslunpinning_v2_37f44f.apk
如何只在调试模式下允许抓包呢?
使用即可实现只在android:debuggable为true时才生效的配置:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<!-- 支持 Android 7.0 以上调试时,信任 Charles 和 Fiddler 等用户信任的证书 -->
<debug-overrides>
<trust-anchors>
<certificates src="system" />
<certificates src="user" />
</trust-anchors>
</debug-overrides>
</network-security-config>
dy的配置文件
<?xml version="1.0" encoding="UTF-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true">
<trust-anchors>
<certificates overridePins="true" src="system" />
</trust-anchors>
</base-config>
<debug-overrides>
<trust-anchors>
<certificates src="user" />
</trust-anchors>
</debug-overrides>
</network-security-config>
参考:
https://www.jianshu.com/p/59e9ef771ff2
2 HTTPS单向认证强校验Hook示例
本次示例通过在本地搭建Tomcat + SSL自签名证书环境,使用一个开源的Android HTTPS双向认证项目:https://github.com/Frank-Zhu/AndroidHttpsDemo ,对其中部分代码进行修改后重新编译,构建本次测试的 APP应用。
2.2.1 基本原理
想要绕过证书锁定抓明文包就需要先知道APP是如何进行锁定操作的,然后再针对其操作进行注入解锁。
Android客户端关于证书处理的逻辑按照安全等级分类,如表2.1所示。
表2.1 Android客户端证书处理的安全等级分类
安全等级 策 略 信任范围 破解方法
Level 0 完全兼容策略 信任所有证书包括自签发证书 无须特殊操作
Level 1 系统/浏览器默认策略 信任系统或浏览内置CA证书以及用户安装证书
(Android 7.0开始默认不信任用户导入的证书) 设备安装代理证书
Level 2 CA根证书固定 信任指定CA颁发的证书 Hook注入等方式篡改锁定逻辑
Level 3 子证书固定 信任指定站点证书 Hook注入等方式篡改锁定逻辑
如遇双向锁定需将APP自带证书导入代理软件
Apache http client 因为从api23起被Android抛弃,因此使用率较低。目前更多使用的是HttpURLConnection类或第三方库OKhttp3.0进行HTTPS通信。其中OKhttp3.0的部分运用与HttpURLConnection相同,客户端都可以通过实现X509TrustManager接口的checkServerTrusted方法,将服务器证书与APP预埋证书做对比,来完成强校验。此外,也可以再通过实现HostnameVerifier接口的verify方法,校验服务器证书中的一般名称(CN)是否与域名相符。通过使用上述方法,完成客户端对服务端的证书强校验。
三个案列代码:
1.校验服务端的证书
https://medium.com/@zhangqichuan/explain-ssl-pinning-with-simple-codes-eaee95b70507
// Read the pinned certificate from local (i.e., assets folder)
val inputStream = context.assets.open("google.crt")
val pinnedCertificate = CertificateFactory.getInstance("X.509")
.generateCertificate(inputStream)
// Create a request to www.google.com
val url = URL("https://www.google.com")
val httpsUrlConnection = url.openConnection() as HttpsURLConnection
// Establish the connection
httpsUrlConnection.connect()
// Check the certificates and see if one of the server certificates
// matches the pinned certificate
//匹配是否是服务端的证书。
if (httpsUrlConnection.serverCertificates.contains(pinnedCertificate)) {
// Open stream
httpsUrlConnection.inputStream
Log.d("Pinning", "Server certificates validation successful")
} else {
Log.d("Pinning", "Server certificates validation failed")
throw SSLException("Server certificates validation failed for google.com")
}
2.Android端SSL认证请求
三种认证的方式:
package com.frankzhu.androidhttpsdemo;
import android.content.Context;
import android.util.Log;
import java.io.BufferedInputStream;
import java.io.InputStream;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;
/**
* Author: ZhuWenWu
* Version V1.0
* Date: 2014/12/15 16:19.
* Description:
* Modification History:
* Date Author Version Description
* -----------------------------------------------------------------------------------
* 2014/12/15 ZhuWenWu 1.0 1.0
* Why & What is modified:
*/
public class HttpClientSslHelper {
private static final String KEY_STORE_TYPE_BKS = "bks";
private static final String KEY_STORE_TYPE_P12 = "PKCS12";
/**
* 记得添加相应的证书到assets目录下面
*/
public static final String KEY_STORE_CLIENT_PATH = "xxx.p12";//P12文件
private static final String KEY_STORE_TRUST_PATH = "xxx.truststore";//truststore文件
public static final String KEY_STORE_PASSWORD = "123456";//P12文件密码
private static final String KEY_STORE_TRUST_PASSWORD = "123456";//truststore文件密码
public static final String KEY_CRT_CLIENT_PATH = "xxx.crt";//CRT文件
public static boolean isServerTrusted = false;
public static OkHttpClient getSslOkHttpClient(Context context) {
OkHttpClient.Builder builder = new OkHttpClient.Builder();
builder.sslSocketFactory(getSslContextByCustomTrustManager(context).getSocketFactory())
.hostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
Log.d("HttpClientSslHelper", "hostname = " + hostname);
// return isServerTrusted;//如果是全部自己校验逻辑的,需要根据证书状态返回相应的校验结果
if ("yourhost".equals(hostname)) {
return session.isValid();
} else {
HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
return hv.verify(hostname, session);
}
}
});
return builder.build();
}
private static SSLContext sslContext = null;
public static SSLContext getSslContext(Context context) {
if (sslContext == null) {
try {
// 服务器端需要验证的客户端证书
KeyStore keyStore = KeyStore.getInstance(KEY_STORE_TYPE_P12);
// 客户端信任的服务器端证书
KeyStore trustStore = KeyStore.getInstance(KEY_STORE_TYPE_BKS);
InputStream ksIn = context.getResources().getAssets().open(KEY_STORE_CLIENT_PATH);
InputStream tsIn = context.getResources().getAssets().open(KEY_STORE_TRUST_PATH);
try {
keyStore.load(ksIn, KEY_STORE_PASSWORD.toCharArray());
trustStore.load(tsIn, KEY_STORE_TRUST_PASSWORD.toCharArray());
} catch (Exception e) {
e.printStackTrace();
} finally {
try {
ksIn.close();
} catch (Exception e) {
e.printStackTrace();
}
try {
tsIn.close();
} catch (Exception e) {
e.printStackTrace();
}
}
sslContext = SSLContext.getInstance("TLS");
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("X509");
keyManagerFactory.init(keyStore, KEY_STORE_PASSWORD.toCharArray());
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
} catch (Exception e) {
e.printStackTrace();
}
}
return sslContext;
}
public static SSLContext getSslContextByDefaultTrustManager(Context context) {
if (sslContext == null) {
try {
// 服务器端需要验证的客户端证书
KeyStore keyStore = KeyStore.getInstance(KEY_STORE_TYPE_P12);
InputStream ksIn = context.getResources().getAssets().open(KEY_STORE_CLIENT_PATH);
try {
keyStore.load(ksIn, KEY_STORE_PASSWORD.toCharArray());
} catch (Exception e) {
e.printStackTrace();
} finally {
try {
ksIn.close();
} catch (Exception e) {
e.printStackTrace();
}
}
sslContext = SSLContext.getInstance("TLS");
// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("X509");
keyManagerFactory.init(keyStore, KEY_STORE_PASSWORD.toCharArray());
sslContext.init(keyManagerFactory.getKeyManagers(), tmf.getTrustManagers(), null);
} catch (Exception e) {
e.printStackTrace();
}
}
return sslContext;
}
public static SSLContext getSslContextByCustomTrustManager(Context context) {
if (sslContext == null) {
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = new BufferedInputStream(context.getResources().getAssets().open(KEY_CRT_CLIENT_PATH));
final Certificate ca;
try {
ca = cf.generateCertificate(caInput);
} finally {
caInput.close();
}
sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new X509TrustManager[]{new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
Log.d("HttpClientSslHelper", "checkClientTrusted --> authType = " + authType);
//校验客户端证书
}
public void checkServerTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
Log.d("HttpClientSslHelper", "checkServerTrusted --> authType = " + authType);
//校验服务器证书
for (X509Certificate cert : chain) {
cert.checkValidity();
try {
cert.verify(ca.getPublicKey());
isServerTrusted = true;
} catch (NoSuchAlgorithmException | InvalidKeyException | NoSuchProviderException | SignatureException e) {
e.printStackTrace();
isServerTrusted = false;
}
}
}
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
}}, null);
} catch (Exception e) {
e.printStackTrace();
}
}
return sslContext;
}
}
3.webview白名单的ssl
https://github.com/menjoo/Android-SSL-Pinning-WebViews/blob/master/app/src/main/java/com/example/mennomorsink/webview/MainActivity.kt
三个案列:
https://github.com/smuldr/android-ssl-pinning
现成的sdk
https://github.com/datatheorem/TrustKit-Android
https://github.com/datatheorem/TrustKit
参考:
https://www.v2ex.com/t/558222
http://blog.nsfocus.net/frida-application-foundation-app-https-certificate-verification-cracking/